Solved Windows 11 device encryption, Benefits and problems


Asus S5606

OS
Windows 11 home ver 25H2 Build 26200.7840
Dear experts,
I received my notebook with device encryption on, but I turned it off. Now I am considering turning it on in case my device gets stolen or lost, or the notebook would not turn on anymore (then I would have to sell it without having erased my files).
I understand that device encryption is beneficial in case of lost or stolen notebook, but an expert could still gain access to the data somehow, no?
Does device encryption have other benefits?
Can it cause problems in case you need to revert to a restore point or use a recovery drive? Could it cause file corruption or any other kind of problem?
Thanks
 

BitLocker Encryption is a security measure in case the laptop is lost or stolen.

However, it does not prevent viruses or malware being installed if you are logged in.
Also, if you want to resell the computer, you can format the drive and install Windows without having to provide a BitLocker key.
 

If you just want to encrypt the whole of the C: drive then this may be of use.

VeraCrypt open source encryption software

best of luck, Steve ..
 

An expert can access the data of a stolen laptop with device encryption on, no?
 

An expert can access the data of a stolen laptop with device encryption on, no?
From Copilot:

🔐 If your stolen laptop has device encryption enabled, then accessing its data is extremely difficult—even for experts. Here's why:

✅ What Device Encryption Does
  • It encrypts the entire disk, meaning all files are scrambled using a cryptographic key.
  • Without the correct decryption key or credentials, the data appears as meaningless gibberish.

🧠 Can Experts Still Break In?
  • In theory: Yes, with enough time, resources, and vulnerabilities, a nation-state-level actor might attempt it.
  • In practice: For most attackers, it's not feasible. They’d need:
      • Access to the decryption key (e.g., via password, recovery key, or TPM chip)
      • Exploitable flaws in the encryption algorithm (rare with modern standards like AES)
      • Physical access to the device while it’s unlocked or in sleep mode, which could expose memory-stored keys

⚠️ Exceptions & Risks
  • If the laptop was powered on or in sleep mode when stolen, some encryption keys might be accessible via memory (a “cold boot attack”).
  • If the user stored passwords or recovery keys insecurely (e.g., written down or synced to cloud without protection), that could be a weak point.
  • Firmware-level attacks or evil maid attacks (where someone tampers with the device physically) are rare but possible.

🛡️ Bottom Line

If your laptop was fully shut down and device encryption was active, your data is very well protected. Even seasoned hackers would struggle without the keys.
 

There is a lot of debate about how much device encryption helps (not referring to full bitlocker).

When you login to a laptop, it automatically decrypts the drives so drives can be accessed.

So in the end, the laptop is only as secure as the user's login password, hence one should ensure a strong password.

However, it is possible to bypass the login password by booting from a usb drive with appropriate hacking software.

So to harden the laptop access, one should also use a strong bios password so users cannot boot from a usb drive unless they have the password.

In the end, device encryption only really protects drives from being removed and data accessed by another pc ASSUMING hacker cannot bypass login.

So it is vital that you have at least a strong Windows password, and advisable to have a strong bios password which is basically true EVEN if device is not encrypted.

With full bitlocker, you can set up a bitlocker PIN such that a user has to enter pin before starting windows. I am not certain without testing if you can do this on the simpler device encryption but I think it can be done. I would only do this if data was mega critical.

In the end, the best approach is to not store critical data on the laptop in the first place, e.g. use external removable drives that can be kept more safe from theft (e.g. do not keep such drives in the laptop case).

So in simple terms device encryption only really helps if a strong windows password (plus other features like facial passwords) is used. Adding a strong bios password adds additional security.

Kind of obvious but also do not use netplwiz or similar to autologin.

It is virtually impossible to fully protect a stolen laptop with device encryption but one can take steps to prevent drive access by all but really knowledgeable thieves after your data (fortunately most thefts are just opportunistic).
 

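Whether a volume unlocks from the TPM alone or needs a pre-boot PIN, the distinction the post above draws, can be read from the volume's key protectors. The following is an added example, not part of any post in the thread: the function name `Get-EncryptionFinding` and the sample object are constructed for illustration, and the commented live call assumes the BitLocker PowerShell module is present and the session is elevated.

```powershell
# Added example. Get-EncryptionFinding is a hypothetical helper name; it only
# reads properties that Get-BitLockerVolume exposes and changes nothing.
function Get-EncryptionFinding {
    param(
        [Parameter(Mandatory)] $Volume   # object shaped like Get-BitLockerVolume output
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Collect the protector type names (Tpm, TpmPin, RecoveryPassword, ...).
    $types = @($Volume.KeyProtector |
        Where-Object { $_ } |
        ForEach-Object { "$($_.KeyProtectorType)" })

    if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
        $findings.Add("Volume is not fully encrypted (status: $($Volume.VolumeStatus)).")
    }

    if ("$($Volume.ProtectionStatus)" -ne 'On') {
        $findings.Add('Protection is off or suspended: data is not protected at rest until it is resumed.')
    }

    if ($types.Count -eq 0) {
        $findings.Add('No key protectors are present on this volume.')
    }

    # Protectors that require something from the user before Windows starts.
    $preBoot = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    $hasPreBoot = @($types | Where-Object { $preBoot -contains $_ }).Count -gt 0

    if (($types -contains 'Tpm') -and -not $hasPreBoot) {
        $findings.Add('TPM-only unlock: the drive unlocks at boot without user input, so protection on a stolen, powered-off device rests on the Windows sign-in.')
    }

    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add('No recovery password protector: there is no fallback if the TPM refuses to release the key.')
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Protectors = $types -join ', '
        Findings   = $findings.ToArray()
    }
}

# Constructed sample resembling a laptop with default device encryption.
$sample = [pscustomobject]@{
    MountPoint       = 'C:'
    VolumeStatus     = 'FullyEncrypted'
    ProtectionStatus = 'On'
    KeyProtector     = @(
        [pscustomobject]@{ KeyProtectorType = 'Tpm' },
        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
    )
}

$report = Get-EncryptionFinding -Volume $sample
$report | Format-List

# Live use on a real machine (elevated prompt):
# Get-EncryptionFinding -Volume (Get-BitLockerVolume -MountPoint $env:SystemDrive) | Format-List
```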
It is virtually impossible to fully protect a stolen laptop with device encryption but one can take steps to prevent drive access by all but really knowledgeable thieves after your data (fortunately most thefts are just opportunistic).
This is true. Laptop thieves usually don't care about the data. They want the hardware for its resale value, but a solid BIOS admin password and limited boot options can make it all but impossible for someone to pawn off a stolen laptop, because they won't be able to reinstall an operating system after they wipe or replace the system drive.
 

Does device encryption have other benefits?
It slows down overall performance. I see no reason to encrypt everything, just to encrypt a few MBs of data. 🤷‍♂️
The only problem might be pagefile, which can be removed or encrypted at shutdown, other than that, there is nothing.
 

An expert can access the data of a stolen laptop with device encryption on, no?

This is the main problem..... What is secure today might not be secure tomorrow.
IT security is a cat and mouse game..

This is the latest proof of concept why Windows Hello Biometrics and Bitlocker becomes useless

 

the problem with security is that it is made for honest people
dishonest people have a tendency to ignore it.

best of luck, Steve ..
 

I will try to make this as non-technical as I can and the sentence after this one might create a lynch-mob, but read the third and fourth one before you react. 😅

Windows is the most insecure operating system in the world...
Why? ... Microsoft has around 78% of the market-share on desktop and laptops, Mac-OS has around 12% and Linux has around 4%.
Therefore Windows is the most attacked system in the world as hackers want to make money, get hold of secrets and hack as many systems as they can... so 1+1=2 they go for the biggest target and that is Windows and therefore it becomes the most vulnerable system in the world, as it's targeted and attacked 24/7, 365 days a year both from criminal hackers but also by state actor hackers.

If Windows had a 4% market share and Linux had a 78% market share on desktops and laptops, then Windows would be way-way-way more secure as fewer hackers would spend time to even try to find vulnerabilities to exploit in Windows... They all would target Linux!!

So to make Windows more secure you should use third party security solutions.
BitLocker is 78% so it's heavily targeted.. There is malware/ransomware that is written to actually use BitLocker to encrypt the system for ransom.

When I use Windows, the first thing I kill (down to file level) is BitLocker, RDP and then I have a few things more I don't remember by heart, but I have in my windows-cheat-sheet.
I never ever encrypt the system disk as it slows down the disk performance.. I have a separate partition or container encrypted with VeraCrypt..
And you, should, not, have passwords saved in the browser.. you should use a password manager.
I use KeePassXC (as it is a cross-platform solution and open source so people can inspect the code, so there aren't any backdoors in the software)..
That database file, I store that one in an encrypted container on a removable media. So even if my computer is stolen.. My passwords are safe even 100 years from now even with super quantum computers as they never got the file that contains the passwords. Here many think.. Cloud solutions are good as then the file isn't local.... Yeah, but then you can't decrypt your stuff if internet is down..

For 2FA I use Yubikey or web-based e-mail on less important stuff... Never have 2FA on the same device as you have the passwords. If it gets compromised or stolen, then they have access to both for brute-force attacks.

Never store life critical sensitive information on a laptop. Have it on an encrypted external disk (keep duplicates as data recovery is near to impossible on an encrypted disk)
When you need to store sensitive data and you can't hide the disk.. Create an encrypted container and within that one create another one (with a different super strong password of course). If it takes them 50 years to brute-force the first container.. it will probably take them another 15-20 years to break the other one as they get newer hardware.. That is 65-70 years from now

But the key thing to make Windows more secure is to not use the built in stuff as that is targeted 24/7 everyday and what is secure today might not be secure tomorrow.
And device isolation for real critical stuff. So even if the daily driver device gets hacked.. The critical stuff is still safe
I have a separate laptop for banking and that stuff... that one I never-ever-ever do anything else on... It even has a totally locked down firewall so it can only connect to those services.. Then I have an air-gapped (offline computer) for storing sensitive information.. and also on encrypted disks.

Now you can lynch me if you think I'm wrong. 😀


Darn 6am.. I should have been in bed almost an hour ago.. I might have written some bad English as I'm tired.. But so be it.
Good night Folks :-)
 
